Legal
AQUNAMA Privacy Policy — GDPR-Compliant Data Practices
Last updated: 21 May 2026
This Privacy Policy describes how EndorphinIT a.s. (operating under the AQUNAMA brand) collects, uses, stores, shares, and protects personal data when you visit aqunama.com, use our services, or otherwise interact with us.
We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), Czech Act No. 110/2019 Coll. on the Processing of Personal Data, and any other applicable law.
- 01
Who we are (Data Controller)
The data controller for personal data processed in connection with this website and our services is:
EndorphinIT a.s.
IČO: 21906998
Registered office: Švábova 772/18, Hlubočepy, 152 00 Prague, Czech Republic
Registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Insert 28977
Represented by: Daniel Čečetka, Member of the Board of Directors
“AQUNAMA” is the trading name under which EndorphinIT a.s. delivers its services. References in this Privacy Policy to “we”, “us”, “our”, “AQUNAMA”, or “the Controller” refer to EndorphinIT a.s.
- 02
Data protection contact
For all data protection matters — including requests to exercise your rights — contact us at:
Email: start@aqunama.com
Postal address: Švábova 772/18, Hlubočepy, 152 00 Prague, Czech Republic
We respond to all data protection requests within thirty (30) days, as required by Article 12(3) GDPR. In complex cases, this period may be extended by a further sixty (60) days, in which case you will be informed.
- 03
Definitions
For the purposes of this Policy:
- “Personal data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- “Controller” means the entity that determines the purposes and means of processing personal data.
- “Processor” means a third party that processes personal data on behalf of the Controller.
- “Data subject” means the natural person whose personal data is being processed.
- 04
Personal data we collect
We collect the following categories of personal data:
a) Identification and contact data
- First name and surname
- Job title or role (where provided)
- Company or organization name
- Business email address
- Telephone number (where provided)
- Postal or business address (where provided)
b) Communication data
- The content of any messages you send us via contact forms, email, scheduling tools, or phone
- Records of correspondence and call transcripts (where applicable and lawful)
- Metadata about your communications (timestamps, channels used)
c) Booking and scheduling data
- Date and time of any scheduled calls or meetings
- Area of interest selected
- Conferencing platform details
d) Technical and usage data
- IP address
- Browser type, version, and language preferences
- Operating system and device type
- Pages visited, time spent on pages, and click paths
- Referring website and exit pages
- Date and time of access
- Approximate geographic location (derived from IP)
e) Marketing data (only where consented)
- Subscription preferences
- Engagement with marketing communications (opens, clicks)
- Source and campaign attribution
We do not knowingly collect special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). If you provide such data voluntarily through correspondence, we will only process it as strictly necessary to respond to your request.
- 05
How we collect personal data
We collect personal data through the following channels:
- Directly from you — when you submit a form, send us an email, book a call, or otherwise communicate with us
- Automatically — when you visit our website, via cookies and similar technologies
- From third parties — including business directories, LinkedIn, and publicly available business information used solely for B2B outreach to professional contacts at companies that match our target client profile
- From your employer — if you are introduced to us as a representative of an organization that is a client, supplier, or partner
Where personal data is collected from third parties, we ensure that the source had a lawful basis to share it and provide notice in accordance with Article 14 GDPR.
- 06
Why we process personal data — purposes and legal bases
We process personal data only when at least one of the legal bases under Article 6 GDPR applies. The table below sets out our processing purposes and the corresponding legal bases:
| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Responding to inquiries and requests via contact forms, email, or scheduled calls | Pre-contractual measures (Art. 6(1)(b)) / legitimate interest (Art. 6(1)(f)) |
| Performing services under a signed commercial agreement | Contract performance (Art. 6(1)(b)) |
| Maintaining accounting and tax records | Legal obligation (Art. 6(1)(c)) |
| Operating and improving the website | Legitimate interest (Art. 6(1)(f)) — to maintain a functional, secure, and useful website |
| Direct marketing to existing business contacts | Legitimate interest (Art. 6(1)(f)) — with an unsubscribe option in every communication |
| Direct marketing to new prospects | Consent (Art. 6(1)(a)) |
| Defending or pursuing legal claims | Legitimate interest (Art. 6(1)(f)) |
| Ensuring information security and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
| Complying with regulatory or governmental requests | Legal obligation (Art. 6(1)(c)) |

Where processing is based on legitimate interest, we have conducted a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. You may object to such processing at any time (see Section 15).
- 07
How long we keep personal data
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:
| Category | Retention period |
| --- | --- |
| Contact form and inquiry data | Up to 24 months from last contact |
| Booking and scheduling data | Up to 12 months from the scheduled date |
| Active client engagement data | Duration of engagement + 10 years (accounting obligations under Czech Act No. 563/1991 Coll.) |
| Communications (email correspondence) | Up to 36 months, or longer if required for legal or accounting purposes |
| Website analytics data | Anonymized after 14 months |
| Marketing consent records | Until consent is withdrawn + 3 years (proof of consent) |
| Data subject rights request records | 3 years from completion of the request |
| Backup data | Removed within 90 days of deletion from production systems |

After the applicable retention period expires, personal data is securely deleted or fully anonymized.
- 08
Who we share personal data with
We do not sell, rent, or trade personal data. We share personal data only with the following categories of recipients:
a) Sub-processors (data processors acting on our behalf):
- Calendly Inc. (USA) — scheduling of discovery calls
- Email service providers (e.g., Microsoft, Google Workspace) — email infrastructure
- Analytics providers (e.g., Google Analytics) — website analytics, only with your consent
- Marketing platforms (e.g., Meta, LinkedIn) — advertising, only with your consent
- CRM and customer support platforms — managing client and prospect relationships
- Hosting and infrastructure providers — including AQUNAMA's own Tier III, ISO 27001-certified data center in the Czech Republic
- Legal, accounting, audit, and IT service providers — under data processing or confidentiality agreements
b) Other recipients:
- Affiliates and group companies — where strictly necessary for service delivery
- Public authorities, regulators, and courts — where required by law
- Acquirers or successors — in the event of a merger, acquisition, or sale of business assets (subject to the same protections as set out in this Policy)
All sub-processors operate under written data processing agreements that comply with Article 28 GDPR. A current list of our material sub-processors is available on request from start@aqunama.com.
- 09
International data transfers
Some of our sub-processors are based outside the European Economic Area (“EEA”). When personal data is transferred outside the EEA, we ensure that one of the following safeguards is in place, as required by Chapter V GDPR:
- The European Commission has issued an adequacy decision for the destination country
- We rely on the European Commission's Standard Contractual Clauses (SCCs) with the recipient
- The recipient is certified under an applicable transatlantic data privacy framework
- Another lawful safeguard recognized under GDPR is in place
A copy of the relevant transfer safeguards is available on request from start@aqunama.com.
- 10
Cookies and tracking technologies
This website uses cookies and similar technologies. Cookies are small text files placed on your device to enable the website to function, measure performance, and (where you consent) personalize content and advertising.
We use three categories of cookies:
a) Necessary cookies
Required for the website to function. These cookies do not require consent and cannot be disabled.
Examples: session management, cookie consent record, security tokens, load balancing.
b) Analytics cookies
Help us understand how visitors interact with our website. Set only with your prior consent.
Examples: Google Analytics or equivalent measurement tools.
c) Marketing cookies
Used by us and our advertising partners to deliver relevant advertising and measure campaign performance. Set only with your prior consent.
Examples: Meta Pixel, LinkedIn Insight Tag, similar platforms.
You can review and manage your cookie preferences at any time via the cookie banner shown on your first visit or via the “Cookie Settings” link in the footer of every page. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
- 11
Direct marketing
If you provide your business contact details in the context of an inquiry or existing engagement, we may use those details to send you direct marketing communications relating to our services, on the basis of our legitimate interest.
Every direct marketing communication includes an unsubscribe link. You may withdraw at any time by clicking unsubscribe or contacting start@aqunama.com.
For new prospects, direct marketing is only sent on the basis of explicit consent, in line with applicable Czech and EU electronic communications law.
- 12
Profiling and automated decision-making
We do not engage in automated individual decision-making, including profiling, that produces legal or similarly significant effects on you as defined in Article 22 GDPR.
We may use aggregated, anonymized analytics to improve our website and services. This processing does not involve personal data.
- 13
Data security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, accidental loss, or destruction. These measures include, where appropriate:
- Encryption of data in transit (TLS) and, where applicable, at rest
- Access controls based on the principle of least privilege
- Multi-factor authentication for administrative access
- Regular security testing and vulnerability management
- Staff training on data protection obligations
- Confidentiality agreements with all employees and processors
- Hosting in ISO 27001-certified, Tier III data center infrastructure
- Audit logging and monitoring of access to personal data
Despite our reasonable efforts, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
- 14
Data breach response
In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will:
- Notify the Czech Data Protection Authority (Úřad pro ochranu osobních údajů) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR
- Notify affected data subjects without undue delay, where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34 GDPR
- Document the breach, its effects, and remedial actions taken in our internal breach register
- 15
Your rights under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — request confirmation of whether we process your data and obtain a copy
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion of your data, subject to applicable legal exceptions
- Right to restriction of processing (Art. 18) — request that we limit how we process your data
- Right to data portability (Art. 20) — request a copy of your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest or direct marketing
- Right to withdraw consent (Art. 7(3)) — withdraw any consent previously given, at any time, without affecting the lawfulness of processing before withdrawal
- Right not to be subject to automated decisions (Art. 22) — see Section 12; we do not engage in such processing
- 16
How to exercise your rights
To exercise any of your rights, contact us at start@aqunama.com. We may need to verify your identity before responding to your request, in order to protect your data from unauthorized disclosure.
We will respond within 30 days of receiving a verifiable request. In complex cases this period may be extended by up to 60 days, in which case you will be informed of the reason for the delay.
Exercising your rights is free of charge, except in cases where requests are manifestly unfounded or excessive (in which case we may charge a reasonable administrative fee or refuse the request, as permitted under Article 12(5) GDPR).
- 17
Right to lodge a complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority — particularly in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.
The relevant authority in the Czech Republic is:
Úřad pro ochranu osobních údajů
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
Website: www.uoou.cz
- 18
Children's privacy
This website and our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, contact us at start@aqunama.com and we will take appropriate steps to delete it.
- 19
Visitors from outside the EU/EEA
This Privacy Policy is drafted in accordance with EU law. Where you access this website from outside the EU/EEA, please be aware that personal data may be transferred to and processed in the European Economic Area, where data protection laws may differ from those in your jurisdiction. By using this website, you consent to such transfers where required.
- 20
Aggregated and anonymized data
We may aggregate or anonymize personal data so that it can no longer be associated with an identifiable individual. Such aggregated or anonymized data is not subject to this Privacy Policy and may be used or shared without restriction.
- 21
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Last updated” date at the top of this Policy reflects the most recent revision.
Material changes will be communicated via prominent notice on the website. Continued use of the website after changes are posted constitutes acceptance of the updated Policy.
- 22
Contact
For any questions about this Privacy Policy, our data processing practices, or your personal data, contact us at:
Email: start@aqunama.com
Postal address: EndorphinIT a.s., Švábova 772/18, Hlubočepy, 152 00 Prague, Czech Republic